How are connections differentiated from behind NAT routers?

Background: I have a very simple server program written in PHP. It's mostly working, but only as long as there is not more than one client per site.

Questions:

  1. How does a NAT Router (typical SOHO router) know which internal client to send returning traffic?
  2. What methods might I use to differentiate between multiple clients behind NAT routers?

Solution 1:

NAT routers would rewrite the source orig-ip:orig-port tuple of outbound UDP packets to nat-ip:nat-port and maintain a relations table between orig-ip:orig-port and nat-ip:nat-port so UDP answer packets arriving with nat-ip:nat-port as the destination could be mapped back to the orig-ip:orig-port destination. For details on how a NAT implementation might handle things, take a look at how connection tracking is implemented in Linux.

If your implementation does not allow for a changing client port number, it simply would not be guaranteed to work behind NAT routers. It might be working for one client as many implementations would try to use the same source port number as the original packet's, if available, so nat-port would be equal to orig-port for the first client's connection. But as this port becomes unavailable, subsequent attempts would inevitably lead to a condition where nat-port is different from orig-port.

So the basic "key" you would need to differentiate between different clients would be the client's source UDP port. Your server chat application needs to generate UDP packets going to the same destination port it received a client packet initiating the chat connection from - creating pretty much the same situation you have with established TCP sessions.
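What keying sessions on the (ip, port) pair from recvfrom() looks like in practice, as an added example that is not part of the answer above and not the asker's PHP server (the "JOIN <nick>" line protocol, the port number and the 203.0.113.x client addresses are constructed for the demo):

```python
"""UDP chat server that keys each client on the (ip, port) it sends from.

Added example, not the asker's PHP code. The tiny line protocol
("JOIN <nick>" registers, any other line is chat) is an assumption.
"""
import socket


class ChatServer:
    """Tracks sessions by the source address that recvfrom() reports."""

    def __init__(self):
        # (ip, port) -> nickname. Two clients behind one NAT share the ip but
        # arrive with different nat-ports, so they get separate entries.
        self.clients = {}

    def handle(self, addr, data):
        """Process one datagram from addr; return [(dest_addr, payload), ...].

        Every reply is addressed to exactly the (ip, port) the datagram came
        from, i.e. nat-ip:nat-port, so the router can map it back to the
        original client.
        """
        text = data.decode("utf-8", "replace").strip()
        if text.startswith("JOIN "):
            nick = text[5:].strip() or "anon"
            self.clients[addr] = nick
            return [(addr, f"OK {nick}, {len(self.clients)} online".encode())]
        if addr not in self.clients:
            # Unknown (ip, port): not a session, even if the ip matches a
            # registered client sitting behind the same NAT.
            return [(addr, b"ERR send JOIN <nick> first")]
        line = f"<{self.clients[addr]}> {text}".encode()
        # Broadcast to everyone else, each at its own (ip, port).
        return [(peer, line) for peer in self.clients if peer != addr]


def serve(host="0.0.0.0", port=9999):
    """Run the server on a real UDP socket (blocking loop)."""
    server = ChatServer()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, addr = sock.recvfrom(65535)
            for dest, payload in server.handle(addr, data):
                sock.sendto(payload, dest)


def demo():
    """Two clients behind the same NAT: same public ip, different ports.

    Addresses are constructed; returns the (dest, payload) list produced by
    alice's first chat line.
    """
    srv = ChatServer()
    alice = ("203.0.113.5", 40001)
    bob = ("203.0.113.5", 40002)   # same nat-ip, different nat-port
    srv.handle(alice, b"JOIN alice")
    srv.handle(bob, b"JOIN bob")
    return srv.handle(alice, b"hi bob")


if __name__ == "__main__":
    for dest, payload in demo():
        print(dest, payload)
```

The server never stores a client by IP alone; the dictionary key is the full tuple, which is what lets two hosts behind one router coexist. Replies go back with sendto() to that same tuple rather than to a fixed port, which is the fix the answer describes.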

Solution 2:

The router for the 192.168.1.x network assigns each outbound connection a unique source port on the Internet side. When the router gets a reply, it looks up the port the packet was sent to in its NAT table and that tells it what IP and port to put as the destination on the LAN side.

When a packet is sent from the LAN side to the Internet side, the router checks its NAT table. If there's no entry corresponding to that local source IP address, local source port, remote IP address and remote port, one is created. A new destination port address is assigned. The packet is sent to the Internet with the source IP rewritten to the router's Internet IP and the source port rewritten to the assigned source port.

When a packet is received on the Internet side, the router checks the destination port in its NAT table. If there's no entry corresponding to that remote IP and destination port, the packet is dropped (unless something else the router is doing wants it). If there is, the destination IP address is changed to the correct local IP address, the destination port is changed to the original local source port, and the packet is sent to the LAN.

The "unique ID" you speak of is the combination of the remote IP address the local machine wants to communicate with and the local source port chosen by the router.
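The NAT table walk described in this answer, modelled as an added example (not code from any real router, and not part of the answer itself). The allocation policy, keep the client's own port if it is free and otherwise take the next free one, is an assumption; the inbound lookup also includes the remote port, as Linux connection tracking does. All addresses are constructed:

```python
"""Minimal model of the SOHO NAT table described above (added example)."""


class NatTable:
    def __init__(self, wan_ip, port_range=(1024, 65535)):
        self.wan_ip = wan_ip
        self.lo, self.hi = port_range
        # outbound key: (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.out = {}
        # inbound key: (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.inb = {}
        self.used_ports = set()

    def _alloc_port(self, wanted):
        """Keep the client's port if free, else the next free one (assumption).

        This is why nat-port usually equals orig-port for the first client
        behind a router and differs for the second one using the same port.
        """
        if self.lo <= wanted <= self.hi and wanted not in self.used_ports:
            return wanted
        start = max(wanted + 1, self.lo)
        for p in list(range(start, self.hi + 1)) + list(range(self.lo, start)):
            if p not in self.used_ports:
                return p
        raise RuntimeError("NAT port pool exhausted")

    def outbound(self, pkt):
        """Rewrite a LAN->Internet packet (dict with src/dst ip and port)."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if key not in self.out:
            wan_port = self._alloc_port(pkt["src_port"])
            self.used_ports.add(wan_port)
            self.out[key] = wan_port
            self.inb[(pkt["dst_ip"], pkt["dst_port"], wan_port)] = key[:2]
        return dict(pkt, src_ip=self.wan_ip, src_port=self.out[key])

    def inbound(self, pkt):
        """Rewrite an Internet->LAN packet, or return None to drop it."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_port"])
        if key not in self.inb:   # no mapping: unsolicited, dropped
            return None
        lan_ip, lan_port = self.inb[key]
        return dict(pkt, dst_ip=lan_ip, dst_port=lan_port)


def demo():
    """Two LAN hosts both use local port 5000 to reach the same server.

    Returns the two external source ports the router assigned.
    """
    nat = NatTable("203.0.113.5")
    server = {"dst_ip": "198.51.100.7", "dst_port": 9999}
    p1 = nat.outbound(dict(server, src_ip="192.168.1.10", src_port=5000))
    p2 = nat.outbound(dict(server, src_ip="192.168.1.11", src_port=5000))
    return p1["src_port"], p2["src_port"]


if __name__ == "__main__":
    print(demo())
```

The second host cannot get external port 5000 because the first mapping holds it, which is exactly the collision that breaks a server that assumes the client's original port. A reply from a host other than the one the mapping was created for has no entry and is dropped.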